Privacy Risk Report

Tressler’s Privacy Practice Group brings you recent developments and insights on cyber liability, privacy and data storage.

The Illinois Supreme Court issued a much-anticipated opinion in Tims v. Black Horse Carriers, Inc., 2023 IL 127801 on February 2, 2023. Tims settles — once and for all — the burning question of which statute of limitations applies to claims advanced under the Illinois Biometric Information Privacy Act (“BIPA”). Under the appellate opinion, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, BIPA litigants were arguably subject to two putative class periods depending on which BIPA violations were alleged.  But that is now over. All BIPA claims are subject to a five-year statute of limitations. Period. End of Story. Except in
Continue Reading The Statute of Limitations Debate is Over But That’s Not All Tims Does

On March 8, 2022, the Northern District of Illinois issued an opinion in State Auto. Mut. Insur. Co. v. Tony’s Finer Foods Enter., Inc., et al., 20-CV-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022) again addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq. The Northern District of Illinois previously addressed similar issues but rendered differing opinions in Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022) and
Continue Reading Split Emerging Within Northern District of Illinois Concerning Application of ERP Exclusion in BIPA Lawsuits

On March 1, 2022, the Northern District of Illinois issued an opinion in Citizens Insur. Co of Am., & Hanover Insur. Co. v. Thermoflex Waukegan, LLC, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022) addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.

In Thermoflex, an employee filed a class-action lawsuit against its employer in Illinois state court, alleging that his employer collected its employees’ handprint data in violation of BIPA. The employer collected the handprint data for purposes
Continue Reading Northern District Injects Confusion as to Whether Insurers Can Rely on the Employment-Related Practices Exclusion to Preclude Coverage for an Employee BIPA Suit

In McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, the Illinois Supreme Court issued an opinion finding the exclusive remedy provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) 820 ILCS 305/1 et seq. does not bar an employee’s claim for statutory damages under the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.

An employee filed a class-action lawsuit against her employer for violating BIPA. Her employer required its employees to use a biometric timekeeping system in order to scan an employee’s fingerprint for purposes of authenticating an employee and tracking their time at work. The
Continue Reading The Illinois Workers’ Compensation Act Does Not Bar An Employee’s Claim Under BIPA

On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq., were covered under a Businessowners’ Liability Policy. An employee of the insured filed a class action complaint in Kankakee County, Illinois, against the insured for violating BIPA. The insured required its employees to use a biometric time clock system to record their time. This system required the insured’s employees to scan their fingerprints to clock in and clock out. This information was then disclosed to the
Continue Reading Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit

“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts have previously found that BIPA claims involving “publication” of biometric information to a third party may trigger coverage under the “personal injury” definition of CGL policies. And now, a recent Illinois Court of Appeals decision has found BIPA violations involving “publication” are subject to a one-year statute of limitations. This recent development may beg the question as to how multiple
Continue Reading Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?

In a decision last week entitled Landry’s, Inc. v. The Ins. Co. Of The State Of Pennsylvania, No. 19-20430, 2021 WL 3075937 (5th Circ., July 21, 2021), the Fifth Circuit Court of Appeals found coverage under a CGL Policy for a traditional data breach. More particularly, the Fifth Circuit held the insurer has a duty to defend Landry’s in the litigation that resulted from a breach incident involving credit card information. This case marks a departure from the general premise that there is no coverage to be found under CGL policies for liability resulting from “classic” data breach incidents.
The
Continue Reading Fifth Circuit Rejects Insurance Carrier’s Arguments As “Salami-Slicing Distinctions” In Finding Coverage For Breach Of Contract Claims Related To Data Breach

On May 20, 2021, the Illinois Supreme Court delivered its opinion in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978[1] regarding whether the claims contained in a lawsuit alleging the violation of the Biometric Information Privacy Act (“BIPA”) were covered under a business owners’ liability policy.
In the underlying lawsuit, Klaudia Sekura (“Sekura”)[2] filed a class-action suit against Krishna Schaumburg Tan, Inc. (“Krishna”), a tanning salon and franchisee of L.A. Tan for violating BIPA by requiring its customers, including Sekura, to scan their fingerprints without first getting their signed, written release to allow
Continue Reading Illinois Supreme Court Finds “Publication” In Some BIPA Claims

The Indiana Supreme Court became one of the first state high courts to weigh in and issue a decision on whether crime insurance provides coverage for ransomware attacks. The trial court’s ruling in favor of Continental Western Insurance Co.’s motion for summary judgment upheld the denial of G&G Oil Co.’s bid for coverage. The Supreme Court remanded the case because further fact-finding was necessary to uncover the “fraudulent” nature of the hacker’s actions. It was important to determine how the hacking was conducted. Therefore, until this information is uncovered, neither party was entitled to summary judgment.
The case arose out
Continue Reading Hack Attack: Indiana Supreme Court Examines Ransomware Coverage 

There is no question that the Illinois Biometric Information Protection Act of 2008 (“BIPA”) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA are surprised to learn this law has been in effect since 2008. Further, a substantial amount of the technology that now creates BIPA issues was not invented or, at least, was not publicly available in 2008. It is unclear if the Illinois legislature envisioned the significant class-action litigation that has sprouted from alleged BIPA violations. Further, BIPA has brought even
Continue Reading The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA

While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to various obligations on all data collectors, schools hold sensitive information belonging to children that require more obligations.  Schools must balance these obligations as they lead their students and employees through online learning during 2020. That is, to continue teaching children, most schools have had no choice but to rely on third-party applications that require entrusting this sensitive data to outside vendors. Further, many schools are facing new state laws requiring schools more steps be taken to protect
Continue Reading Hackers See Opportunity In Attacking Schools As They Teach Through A Pandemic

While data collectors had no time to prepare for employees to start working from home in early 2020, there is time to prepare for the shift back to the office.
Without a doubt, many data collectors are struggling with the cybersecurity risks created by employees shifting from the office to their homes in 2020. Interestingly, despite having no time to prepare for the shift home in early 2020, we have not heard much news about breaches or other incidents.  Nevertheless, data collectors can be certain that cybersecurity issues created by employees using sensitive data while working remotely are out there. These
Continue Reading We Are Just Beginning To Understand The Privacy Threats Created By Working From Home

On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq. (West 2018)) to the workplace. The interlocutory appeal in McDonald v. Symphony Bronzeville Park LLC, 2020 IL App (1st) 192398 (Sept.18, 2020), put a single issue before the First District: “Do[] the exclusivity provisions of the Workers’ Compensation Act bar a claim for statutory damages under [BIPA] where an employer is alleged to have violated an employee’s statutory privacy rights under [BIPA]?”  However, the First
Continue Reading Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA

It is difficult to believe the Illinois Biometric Information Protection Act, 740 ILCS 14, (“BIPA”) has been in effect for more than 10 years since October 3, 2008. Many data collectors are surprised BIPA has been in effect for all these years. Issues related to biometric data have only recently grown into a major concern as the equipment that collects biometric data has evolved to the point that it can be found in a number of Illinois workplaces and businesses. To this point, the central issue in most of the BIPA cases involved allegations that data collectors collected and stored
Continue Reading New Lawsuit Alleges BIPA Violations Result From Macy’s Reliance On Clearview AI To Scrape Information

Data collectors constantly struggle to balance the need for honest self-critiques of their data protection safeguards with the desire to not generate information that may be used in litigation. Indeed, it is encouraging to see a number of data collectors hiring third-party experts to look at safety measures and issue reports on their findings before there is an incident. Of course, these reports are only useful if they include an honest assessment of a data collector’s incident response preparation, digital forensics and incident remediation.  Understandably, there is trepidation that the findings in the reports may be used to establish liability
Continue Reading Courts Continue To Find Third-Party Reports Generated Before And After Privacy Incidents Are Not Protected From Discovery   

The latest decision related to Illinois’ Biometric Information Protection Act (“BIPA”) was issued by the Illinois Court of Appeals on June 16, 2020, in a matter entitled Cothron v. White Castle System, Inc, 2020 WL 3250706 (June 16, 2020). Latrina Cothron (“Cothron”) began working at White Castle in 2004 and was still a manager at the time she filed suit. As a side note, the Cothron matter differs from many BIPA suits to the extent the plaintiff remains an employee before and after filing suit. Many BIPA cases involve claims by former employees that were terminated prior to bringing suit.
Continue Reading White Castle’s Motion To Dismiss Denied In BIPA Litigation